Kalina had been indicted by a federal grand jury last June on six counts, including wrongfully obtaining and disclosing health information in violation of HIPAA, and wrongfully disclosing health information with the intent to cause malicious harm.

Prosecutors say Kalina worked from March 7, 2016, through June 23, 2017, as a patient information coordinator at UPMC and its affiliate, Tri Rivers Musculoskeletal Centers in Mars, Pennsylvania. Prosecutors charge that Kalina, in violation of HIPAA, improperly accessed the health information of 111 UPMC patients who had never been provided services at TRMC.

"Specifically, on Aug 11, 2017, Kalina unlawfully disclosed personal gynecological health information related to two such patients, with the intent to cause those individuals embarrassment and mental distress," the Justice Department statement says.

Sentencing is slated for June 25. The law provides for a sentence of up to 10 years in prison, a fine of up to $250,000, or both, the Justice Department says. Kalina remains free on bond pending the sentencing hearing.

The other counts against Kalina will be a factor when the U.S. district judge sentences her in June, according to a March 7 news story in the Pittsburgh Post Gazette.

Revenge for Firing?

Prosecutors said Kalina's disclosures of patient information involved the medical records of two employees of a construction company where Kalina had worked for 24 years before being fired, according to the Post Gazette.

Prosecutors said Kalina accessed patient files of two Frank J. Zottola Construction company employees and sent an email to the firm's controller in June 2017 in which she revealed gynecological records for one of them identified as "P.W.," a woman who had taken her place at Zottola as office manager, according to the Post Gazette.

Kalina also allegedly left a voicemail on the company's answering machine in August 2017 revealing medical information about P.W. and another employee, "C.C." That disclosure is the count to which she pleaded guilty, the newspaper reports.

The Frank J. Zottola Construction firm and UPMC both declined to comment on the case.

"What we have seen to date is that most HIPAA violations are prosecuted as a lesser offense [as part of] other crimes like healthcare fraud, activity involving cybercrimes or threats to a law enforcement officer or public official," he notes.

The facts of a case play into a finding that HIPAA was violated, he adds. In the case involving Kalina, "it is important to view this in the larger context of the motivation of why this patient coordinator at a pair of large regional health systems was misusing her authorized access to protected health information," he says.

"This individual accessed the records of scores of patients over a period of 18 months. She targeted the employees and managers of a local construction company that was a former employer, ultimately disclosing PHI in order to embarrass and harass them," he notes.

"The HIPAA criminal statute is in place precisely because even the best information security controls can be defeated by a determined insider who looks to violate the confidentiality or corrupt the integrity of a patient's PHI."

One reason for the small number of criminal cases for violation of the HIPAA statute is the limited availability of resources of the Department of Justice, Holtzman says. "It requires a lot of time and effort to investigate and prosecute a criminal case involving the HIPAA statute," he notes.

Other HIPAA Criminal Cases

Among the previous convictions in criminal HIPAA cases, a jury in a federal court in Massachusetts in April convicted Rita Luthra, a former gynecologist at a women's health center in Springfield, Massachusetts, of violating HIPAA as well as obstructing a criminal healthcare investigation (see Former Physician Convicted of Criminal HIPAA Violation).

The case against Luthra, however, was related to a larger, complex federal healthcare fraud case prosecuted against pharmaceutical maker Warner Chilcott.

Another criminal case involving HIPAA involved Denetria Barnes, a former nursing assistant at a Florida assisted living facility, who was sentenced in 2013 to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.

And also in 2013, Helene Michel, the former owner of a Long Island, New York, medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud, as well as criminal HIPAA violations (see Hefty Prison Sentence in ID Theft Case).

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
